In "Security measures you should take after purchasing a VPS" we mentioned using fail2ban to protect ssh, so that brute-force password guessing can be stopped even without changing the ssh port (default is 22). Of course, we have enabled credential-based login and turned off the ssh password login option, but using fail2ban to kill off the bots that keep trying is also a pleasant thing.
In fact, apart from using fail2ban with Bind9 to prevent DNS amplification attacks, we can also use fail2ban to protect nginx. After all, it works by matching log files against regular expressions and then operating iptables, so in theory any application that writes logs can have fail2ban rules written for it and be protected.
This time we look at how, beyond the default configuration, we can use fail2ban to protect nginx.
First of all:
Configuring the jails
Fail2ban monitors per module (jail). The default configuration already contains many ready-made definitions, but of course we need to enable them manually.
    cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
fail2ban automatically reads the .local file and applies it on top of the .conf settings, so the configuration you worked so hard on is not overwritten by an update.
Next we edit our fail2ban configuration, /etc/fail2ban/jail.local.
First comes the [DEFAULT] section, where we can change some behaviour parameters, for example like this (settings not mentioned here keep their defaults; do not bother with them):
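    bantime = 3600
    # The default is 10 minutes; this is how long a ban lasts, so we make it longer
    # The next two say how many failures within how long lead to a ban,
    # e.g. here 6 failures within 3600 seconds lead to a ban
    findtime = 3600
    maxretry = 6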
The next step is to add our jail configuration. The default configuration has no built-in nginx jails, only apache ones:
    [nginx-http-auth]
    # Brute-force protection for HTTP authentication
    enabled = true
    filter = nginx-http-auth
    port = http,https
    logpath = /var/log/nginx/error.log

    [nginx-badbots]
    # Block malicious crawlers
    enabled = true
    port = http,https
    filter = nginx-badbots
    logpath = /var/log/nginx/access.log
    maxretry = 2

    [nginx-nohome]
    # Stop malicious requests probing the site's directory structure
    enabled = true
    port = http,https
    filter = nginx-nohome
    logpath = /var/log/nginx/access.log
    maxretry = 2

    [nginx-noproxy]
    # Prevent nginx from being used by others as a reverse proxy
    enabled = true
    port = http,https
    filter = nginx-noproxy
    logpath = /var/log/nginx/access.log
    maxretry = 2
Note that this configuration is based on the nginx logs, so nginx logging must be enabled. Some administrators turn logging off for performance reasons, in which case this article loses its meaning.
P.S. Before you configure fail2ban you should install nginx first; otherwise fail2ban cannot read the nginx logs and will report an error.
Configuring the jail rules
With the jails enabled, the next step is to create the filter rules for them:
    cd /etc/fail2ban/filter.d
This directory stores all the rules, one configuration file per rule: the file name is the rule name, and there are as many rules as there are files. These rules are what the filter field in the jail configuration above refers to.
    vi nginx-http-auth.conf
This rule already exists. We add one line to it so that, besides wrong account or password attempts, it also catches requests with a blank account or password:
    [Definition]

    failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
                ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$

    ignoreregex =
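The added line is the second failregex pattern, the one matching "no user/password was provided for basic authentication".
    cp apache-badbots.conf nginx-badbots.conf
The crawler filter rule already exists, so we only need to copy it under a new name.
    vi nginx-nohome.conf
This filter catches requests that try to fetch directories (paths containing /~):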
    [Definition]

    failregex = ^<HOST> -.*GET .*/~.*

    ignoreregex =
    vi nginx-noproxy.conf
This filter catches reverse-proxy attempts:
    [Definition]

    failregex = ^<HOST> -.*GET http.*

    ignoreregex =
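The two access-log filters above can be checked offline before the service is restarted. The following Python is an added example, not part of the original post or of fail2ban: it runs the nginx-nohome and nginx-noproxy failregex lines over constructed log lines and counts matches the way the jails are configured on this page (findtime = 3600, maxretry = 2). The IPv4-only replacement for <HOST>, the assumption that the log uses nginx's usual bracketed timestamp, and every log line and address are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# failregex lines of the nginx-nohome and nginx-noproxy filters from this page.
FILTERS = {"nginx-nohome": r"^<HOST> -.*GET .*/~.*",
           "nginx-noproxy": r"^<HOST> -.*GET http.*"}
COMPILED = {j: re.compile(rx.replace("<HOST>", HOST)) for j, rx in FILTERS.items()}
STAMP = re.compile(r"\[([^\]]+)\]")  # first [...] field is the access-log time

# Constructed access-log lines (documentation addresses), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /~root/ HTTP/1.1" 404 153 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:09 +0000] "GET /~admin/ HTTP/1.1" 404 153 "-" "curl/8.0"',
    '198.51.100.23 - - [10/Oct/2023:13:56:00 +0000] "GET http://example.com/ HTTP/1.1" 400 157 "-" "-"',
    # second proxy attempt falls outside findtime, so it does not add up
    '198.51.100.23 - - [10/Oct/2023:15:30:00 +0000] "GET http://example.org/ HTTP/1.1" 400 157 "-" "-"',
    '192.0.2.10 - - [10/Oct/2023:13:57:00 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    # ordinary file whose path happens to contain "/~"
    '192.0.2.44 - - [10/Oct/2023:13:58:00 +0000] "GET /docs/~notes.txt HTTP/1.1" 200 80 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Oct/2023:13:58:30 +0000] "GET /docs/~notes.txt HTTP/1.1" 200 80 "-" "Mozilla/5.0"',
]

def simulate(lines, maxretry=2, findtime=3600):
    """Return {jail: [hosts]} banned after maxretry matches within findtime seconds."""
    hits, banned = defaultdict(deque), defaultdict(list)
    for line in lines:
        when = datetime.strptime(STAMP.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")
        for jail, rx in COMPILED.items():
            m = rx.search(line)
            if not m:
                continue
            host = m.group("host")
            window = hits[(jail, host)]
            window.append(when)
            while (when - window[0]).total_seconds() > findtime:
                window.popleft()  # forget matches older than findtime
            if len(window) >= maxretry and host not in banned[jail]:
                banned[jail].append(host)
    return {jail: hosts for jail, hosts in banned.items() if hosts}

if __name__ == "__main__":
    for jail, hosts in simulate(SAMPLE).items():
        print(jail, "would ban", hosts)
```

The last two constructed lines show a false positive: an ordinary file whose path contains /~ reaches maxretry = 2 and is banned by nginx-nohome. On a host with fail2ban installed, fail2ban-regex with the log file and the filter file as arguments tests the real filter against the real log.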
Confirming it works
After finishing the configuration above, restart fail2ban with: service fail2ban restart
Then check with the fail2ban-client status command. If nothing went wrong, it should look like this:
    ➜ ~ fail2ban-client status
    Status
    |- Number of jail: 5
    `- Jail list: nginx-badbots, nginx-http-auth, nginx-nohome, nginx-noproxy, sshd
Original article written by LogStudio: R0uter's Blog » Fail2Ban protection of Nginx Advanced Configuration Services
When reproducing, please keep the source and link: https://www.logcg.com/archives/2998.html
Hello! After I configured the settings following your post, buddy, [nginx-http-auth] reports a configuration error:
ERROR No file(s) found for glob /var/log/nginx/*error.log
ERROR Failed during configuration: Have not found any log file for nginx-http-auth jail
I searched all over the Internet but still cannot find a solution, so I am asking you, buddy.
First of all, make sure you have correctly configured and started nginx and that logging is turned on. Some default configurations do not enable logging, so naturally fail2ban cannot find the log files.
Secondly, your log directory is set in the nginx configuration. The path in my example is a fairly common one, but it depends on your specific configuration; some people even like to write the logs under the corresponding wwwroot. In short, it depends on your specific configuration, and the paths on both sides must agree.
Finally, a temporary solution: logpath = /var/log/nginx/error.log, then create this "error.log" file at that path. At least it will not report the error right away.
https://service.imydl.com/yunwei/594.html
It is copied ~